Log

Protocol Analysis

Wangwang protocol analysis:

1. GET http://sip.alisoft.com/sip/rest?sip_apiname=alisoft.getPlugins4ww&sip_appkey=16116&AppIdVers=8001:*,8003:*,17411:1.0&time=1259728937
2. GET http://newallot.im.alisoft.com/imlogingw/tcp60login?ver=6.10.30&loginId=cntaobaoarnold78
   This returns the Wangwang client login addresses and ports; there are many candidates to choose from.
3. Connect to 121.0.19.242:16000 and send an 80-byte packet.

(1) Login
Several kinds of packets appear during the login process: UDP, TCP (other than HTTP), and HTTP. The HTTP packets fall into two classes: those generated by Aliwangwang itself and those generated by a web browser (for example IE, Firefox, Netscape, Opera). Only the HTTP packets generated by Aliwangwang need to be considered. They have the following features: the User-Agent field contains the keyword whose hex form is "b0a2c0efcdfacdfa" (the GBK encoding of "阿里旺旺"), which ordinary HTTP packets do not carry; and some packets contain the keywords "im.alisoft.com" and "Cookie: ali_", which also set them apart from ordinary HTTP packets.
Another observation: even towards the same remote IP and port, HTTP packets from different source ports fall into the two different classes, so the classification has to be done per connection (keyed on the source port), not per destination address.
After the TCP handshake, the packets that carry data have an obvious feature: the first four bytes of the data segment are hex "8f010100". This identifies the connection, and the same holds in all of the later stages.
When logging in, Aliwangwang also sends two UDP packets to an IP belonging to Hangzhou Telecom. We handle these as well, although the traffic is small. These UDP packets have hex "8f010121" in the first four bytes.

(2) Chat
Text chat: the packets are mostly TCP packets with the same features as in the login process, so the same method handles them well.
Audio chat: this process involves both TCP and UDP, and the two have to be processed separately. Here Aliwangwang talks to a number of servers to obtain information (for example multimedia.im.alisoft.com and forum.split.taobao.com), establishes the link, and then carries the audio data in UDP packets. Another observation is that during this process Aliwangwang also tries to interact with the local ISP (for example Tianjin Telecom and Tianjin CNC) and with Hangzhou Telecom, which produces a number of UDP packets. Fortunately these UDP packets can be identified: the first 4 bytes of the data segment are hex "52554450" (ASCII "RUDP").
Video chat: this process is similar to audio chat, so after the work on audio chat it is easy to handle.

(3) File Transfer
File transfers over the Internet show the same feature in the TCP negotiation, so the rules above still work. In addition, UDP packets appear with hex "710206" in the first 3 bytes.

Note that all of these signatures were taken from a capture of client version 6.10.30 made in December 2009 (see the details below) and should be re-checked against the current client before being relied on. Note also that the login gateway hands out login servers on ports 80 and 443 as well as 16000, so the login connection cannot be identified by destination port alone; the "8f010100" payload check is what identifies it.

Details are as follows:

1.
GET /sip/rest?sip_apiname=alisoft.getPlugins4ww&sip_appkey=16116&AppIdVers=8001:*,8003:*,17411:1.0&time=1259728937 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: SimpleHttpFetch
Host: sip.alisoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: cna=tiVRAuqdA; __last_login_ww__=cntaobaoxmanjsj; ali_apache_id=125.34.66.73.51076032595087.6
--------------------------
HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 04:41:46 GMT
Server: Apache/2.2.11 (Unix) mod_jk/1.2.27 mod_AliCookie(for apache2.x)/1.1
Set-Cookie: ali_apache_sid=123.117.55.234.14972128906593.0|1259730706; path=/; domain=.alisoft.com
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA date=200707131605)/Tomcat-5.5
sip_status: 9999
Content-Length: 1460
Connection: close
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<WangWangPluginResult-array>
  <WangWangPluginResult>
    <appId>8001</appId>
    <appStatus></appStatus>
    <version>*</version>
    <isvId>1</isvId>
    <pluginMd5>233b76c8a205f9d85036d0fbe0f45a3c</pluginMd5>
    <secLevel>20</secLevel>
    <errorCode></errorCode>
    <sign>2dab3381a8911c86ad1970a4cb880ba6</sign>
    <time>1259728937</time>
    <apiLastModified>1238148658000</apiLastModified>
    <slotLastModified>1238148658000</slotLastModified>
  </WangWangPluginResult>
  <WangWangPluginResult>
    <appId>8003</appId>
    <appStatus></appStatus>
    <version>*</version>
    <isvId>1</isvId>
    <pluginMd5>847be8d432ec43ae1d884aad8428fe35</pluginMd5>
    <secLevel>20</secLevel>
    <errorCode></errorCode>
    <sign>9ac6ee76252493f7d9efeef2f67a4385</sign>
    <time>1259728937</time>
    <apiLastModified>1238148658000</apiLastModified>
    <slotLastModified>12</slotLastModified>
  </WangWangPluginResult>
  <WangWangPluginResult>
    <appId>17411</appId>
    <appStatus></appStatus>
    <version>1.0</version>
    <isvId>11888140</isvId>
    <pluginMd5>5a7d37ea646837b011257810d98ededf</pluginMd5>
    <secLevel>20</secLevel>
    <errorCode></errorCode>
    <sign>f85ba1fdac7ece9562637299d94f907f</sign>
    <time>1259728937</time>
    <apiLastModified>1244187533000</apiLastModified>
    <slotLastModified>1238148658000</slotLastModified>
  </WangWangPluginResult>
</WangWangPluginResult-array>

Both exchanges are plain HTTP, so the plugin manifest (including each pluginMd5 and sign value) and the login server list below are visible on the wire; this is what makes the keyword rules above usable for classification.

2.
GET http://newallot.im.alisoft.com/imlogingw/tcp60login?ver=6.10.30&loginId=cntaobaoarnold78 HTTP/1.1
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Host: newallot.im.alisoft.com
----------------------------------------------------
HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 04:41:46 GMT
Server: Apache/2.2.9 (Unix)
Cache-Control: no-cache
Content-Length: 297
Connection: close
Content-Type: text/html;charset=utf-8

121.0.19.242:16000,121.0.19.220:16000,121.0.19.220:80,121.0.19.220:443,121.0.19.236:16000,121.0.19.236:80,121.0.19.236:443,121.0.19.232:16000,121.0.19.232:80,121.0.19.232:443,110.75.161.4:16000,110.75.161.4:80,110.75.161.4:443,121.0.30.203:16000,121.0.30.203:80,121.0.30.203:443,121.0.19.232:16000

(The body is exactly 297 bytes, so this is the complete server list; 121.0.19.232:16000 appears twice.)
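To make the rules above concrete, here is a small classifier, added here as a worked example and not part of the original analysis. It parses the tcp60login server list exactly as quoted above, labels packets by the first bytes of their payload (the "8f010100", "8f010121", "52554450" and "710206" signatures) and by the User-Agent and keyword rules for HTTP, and tracks each connection by its 5-tuple so that a Wangwang connection and a browser connection to the same server address are kept apart by source port. The sample packets, the client and ISP addresses (10.0.0.5, 203.0.113.10) and the label names are constructed placeholders of mine.

```python
"""Signature-based classifier for Aliwangwang traffic.

Added example, not code from the original analysis.  The byte patterns are
the ones noted above; every packet in SAMPLE_PACKETS is constructed, with
placeholder addresses, to exercise each rule offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# First bytes of the L4 payload, as observed in the capture.
WW_TCP_MAGIC = bytes.fromhex("8f010100")        # TCP data after the handshake
WW_UDP_LOGIN_MAGIC = bytes.fromhex("8f010121")  # two UDP packets sent at login
WW_RUDP_MAGIC = bytes.fromhex("52554450")       # ASCII "RUDP": audio/video media
WW_FT_MAGIC = bytes.fromhex("710206")           # UDP file transfer
# GBK encoding of "阿里旺旺", carried in the User-Agent header.
WW_UA_GBK = bytes.fromhex("b0a2c0efcdfacdfa")

# Body of the tcp60login response quoted in the analysis (the real list).
LOGIN_GATEWAY_BODY = (
    "121.0.19.242:16000,121.0.19.220:16000,121.0.19.220:80,121.0.19.220:443,"
    "121.0.19.236:16000,121.0.19.236:80,121.0.19.236:443,121.0.19.232:16000,"
    "121.0.19.232:80,121.0.19.232:443,110.75.161.4:16000,110.75.161.4:80,"
    "110.75.161.4:443,121.0.30.203:16000,121.0.30.203:80,121.0.30.203:443,"
    "121.0.19.232:16000"
)

def parse_login_gateway(body: str) -> List[Tuple[str, int]]:
    """Turn "ip:port,ip:port,..." into unique (ip, port) pairs, in server order."""
    servers: List[Tuple[str, int]] = []
    for item in body.strip().split(","):
        host, sep, port = item.strip().rpartition(":")
        if not sep or not port.isdigit():
            continue  # skip an empty trailing item or junk
        entry = (host, int(port))
        if entry not in servers:
            servers.append(entry)
    return servers

def _http_headers(payload: bytes) -> Optional[Dict[bytes, bytes]]:
    """Return {lowercased-name: value} if the payload starts like HTTP, else None."""
    if not re.match(rb"(?:GET|POST|HEAD|PUT|HTTP/1\.[01]) ", payload):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_payload(proto: str, payload: bytes) -> str:
    """Label one L4 payload ("tcp" or "udp") using the signatures above."""
    if proto == "udp":
        if payload.startswith(WW_UDP_LOGIN_MAGIC):
            return "ww-udp-login"
        if payload.startswith(WW_RUDP_MAGIC):
            return "ww-udp-media"
        if payload.startswith(WW_FT_MAGIC):
            return "ww-udp-filetransfer"
        return "other"
    if payload.startswith(WW_TCP_MAGIC):
        return "ww-tcp"
    headers = _http_headers(payload)
    if headers is not None:
        # Strongest rule first: the GBK client name inside User-Agent.
        if WW_UA_GBK in headers.get(b"user-agent", b""):
            return "ww-http"
        if b"im.alisoft.com" in payload or b"Cookie: ali_" in payload:
            return "ww-http"
    return "other"

class FlowClassifier:
    """Label whole connections: once a 5-tuple shows a Wangwang signature,
    later packets on that flow get the same label even without magic bytes.
    Keying on the source port separates a Wangwang connection from a browser
    connection to the same server address and port."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str, int, str, int], str] = {}

    def feed(self, proto: str, src: str, sport: int,
             dst: str, dport: int, payload: bytes) -> str:
        key = (proto, src, sport, dst, dport)
        label = self.flows.get(key, "other")
        if label == "other":  # unknown so far: try to classify this packet
            label = classify_payload(proto, payload)
            self.flows[key] = label
        return label

# Constructed packets: (proto, src, sport, dst, dport, payload).  10.0.0.5 is
# the client; 203.0.113.10 stands in for the Hangzhou Telecom address.
SAMPLE_PACKETS = [
    ("tcp", "10.0.0.5", 51076, "121.0.19.242", 16000, WW_TCP_MAGIC + b"\x00" * 76),  # 80-byte login packet
    ("tcp", "10.0.0.5", 51076, "121.0.19.242", 16000, b"\x00\x10" + b"A" * 30),      # later data, same flow
    ("tcp", "10.0.0.5", 51080, "121.0.19.242", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),                     # browser, same server
    ("tcp", "10.0.0.5", 51081, "121.0.19.242", 80,
     b"GET /sip/rest?sip_apiname=alisoft.getPlugins4ww HTTP/1.1\r\n"
     b"Host: sip.alisoft.com\r\nUser-Agent: " + WW_UA_GBK + b"\r\n\r\n"),            # client HTTP
    ("udp", "10.0.0.5", 4000, "203.0.113.10", 4000, WW_UDP_LOGIN_MAGIC + b"\x00" * 12),
    ("udp", "10.0.0.5", 4001, "203.0.113.10", 4001, WW_RUDP_MAGIC + b"\x01\x02" * 64),
    ("udp", "10.0.0.5", 4002, "10.0.0.9", 4002, WW_FT_MAGIC + b"\x00" * 40),
    ("udp", "10.0.0.5", 53, "10.0.0.1", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),      # not Wangwang
]

def classify_samples() -> List[str]:
    """Run the flow classifier over SAMPLE_PACKETS; one label per packet."""
    fc = FlowClassifier()
    return [fc.feed(*pkt) for pkt in SAMPLE_PACKETS]

if __name__ == "__main__":
    for ip, port in parse_login_gateway(LOGIN_GATEWAY_BODY):
        print(f"login server {ip}:{port}")
    for pkt, label in zip(SAMPLE_PACKETS, classify_samples()):
        print(f"{pkt[0]} {pkt[1]}:{pkt[2]} -> {pkt[3]}:{pkt[4]}  {label}")
```

The second sample packet carries no magic bytes but is still labelled as Wangwang because it shares the 5-tuple of the first, which is the "identify the link" rule from the login section; the browser request to the same server IP on a different source port stays "other". In a live deployment the payload would come from a capture library rather than the constructed list, and the "Cookie: ali_" and "im.alisoft.com" keyword rules should be treated as weaker evidence than the GBK User-Agent match.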